California Consumer Privacy Act: Get Up to Speed [Free Guide]
A few years ago, the forthcoming GDPR shook up the web design industry — online companies and agencies alike scrambled to understand the legal jargon behind the law so they could protect themselves and their clients. As a response, we created a GDPR service offering to educate our clients on the law and ensure their products are in compliance. Now, we are seeing a similar event happen with the CCPA.
What is the CCPA?
The California Consumer Privacy Act is a law that passed in California in 2018 and will take effect on January 1, 2020. It’s the data protection cousin to the GDPR (General Data Protection Regulation) in the EU. And just as GDPR affects businesses not only in the EU, CCPA will affect those outside of California. The CCPA focuses specifically on giving Californians the right to know how their data is being used by companies and to ask for control over it.
Who does the CCPA affect?
The law protects “consumers” defined as ‘a natural person who is a California resident’. A business is affected by the CCPA if they are based or do business in California and meet any of the following criteria:
- Your company generates gross revenue of more than $25 million a year
- Your company receives or shares personal information of more than 50,000 individuals
- Your business earns at least half of its annual revenue by selling the personal information of California residents
Consumer Rights Under the CCPA
- The right of Californians to know what personal information is being collected about them.
- The right of Californians to know whether their personal information is sold or disclosed and to whom.
- The right of Californians to say no to the sale of personal information.
- The right of Californians to access their personal information.
- The right of Californians to equal service and price, even if they exercise their privacy rights.
How CCPA Defines Personal Information
From the legal text:
“Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
This includes: real name, alias, address, usernames, website, email, SSN, passport, driver's license number, records of purchasing history or consumer tendencies, biometric data, browsing history, search history, any information regarding a consumer’s interaction with a website, location data, and more.
Let’s break down what each of those rights means.
1. The right of Californians to know what personal information is being collected about them.
Unlike GDPR, there is no mention of explicit consent to use of the data.
2. The right of Californians to know whether their personal information is sold or disclosed and to whom.
A third party that has been sold data cannot resell that data unless the consumer has received explicit notice and is provided an opportunity to exercise the right to opt-out.
3. The right of Californians to say no to the sale of personal information.
A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information. It should go without saying, but after making this request, a business must then refrain from selling that individual’s personal data.
A business cannot sell the data of a consumer under 16 years old if it has knowledge of their age, unless it gets the explicit consent of the consumer (for 13-16 year olds) or parental consent (for those under 13).
After a consumer opts out, the business has to wait 12 months before it can ask the consumer for authorization to sell their data again.
4. The right of Californians to access their personal information.
Consumers have the right to request that a business disclose the information it has collected on them within the last 12 months, including the source, the purpose, and the third parties with whom it was shared.
The business must provide this information, free of charge, either by mail or electronically within 45 days. If it is electronic, it must be readable and transmittable to other entities by the consumer (no strange, unopenable files).
A business is not required to provide this information more than twice in a 12-month period.
Requesting the data
A business should make available two or more “reasonably accessible” methods for consumers to submit requests for information regarding their data. At a minimum, this is a phone number and a web address.
The business must “Provide a clear and conspicuous link on the business’s Internet homepage, titled ‘Do Not Sell My Personal Information.’”
The consumer must not be required to create an account in order to make this request.
Deleting the data
The business must disclose that consumers have this right.
The business doesn’t have to comply if deleting the information would interfere with a number of things, such as completing a user’s transaction, debugging an error, preventing security issues, participating in public research, free speech, etc.
5. The right of Californians to equal service and price, even if they exercise their privacy rights.
A business can’t discriminate against a consumer for requesting that their data be deleted or not sold. A business MAY, however, offer financial incentives for the collection and sale of personal information.
Examples of this discrimination include:
- Denying goods or services
- Charging different prices
- Providing a different level of quality
- Suggesting that the consumer will receive a different price or quality
Penalties for not complying with the CCPA
Businesses are given a 30-day grace period to resolve issues; if they are not resolved, fines for violations include:
- $2,500 for unintentional and $7,500 for intentional violations of the Act. (These actions must be brought by the California Attorney General.)
- $100-$750 per incident, per consumer, or actual damages if higher, for damage caused by a data breach. (These actions may be brought by consumers.)
What this means for businesses and web design
Businesses must make sure that their policies are updated to include CCPA information, and that their employees are trained on these policies. They need to make sure their customers’ stored data can be easily referenced, exported, and deleted.
The “Do Not Sell my Personal Data” link is the most prescriptive design related requirement in the CCPA — expect to see this popping up in footers everywhere. In addition, forms and other methods of data collection must start linking to information on what will be done with the data collected.
CCPA vs. GDPR
| CCPA | GDPR |
|---|---|
| Protects Californians | Protects members of the EU |
| Consumers can opt out of sale of their data but not future collection or request updates | Consumers can request that their data not be collected in the future, as well as request that incorrect data be updated |
| No mention of dedicated Data Protection Officers | Requires appointment of a Data Protection Officer for companies that process personal data regularly |
| Does not require explicit consent or opt-in, just a mention of how the data will be used | Requires explicit consent from data subjects in order to process data that is not covered by legitimate interest |
| Applies to data collected in the last 12 months | Applies to all data with no time constraint |
We believe CCPA can be considered “GDPR Lite” — it’s not as encompassing, but similar. Other states like Nevada and Maine have also been working on their own privacy acts, and it is likely there could be country-wide standards in the future. At ETR, our goal is to continue to follow GDPR-level standards, ensuring we are ready for any future expansions of US law, and we recommend the same for you. The criteria for CCPA may mean that many businesses are not yet affected, but we should be proactive. Best of luck in your data privacy journey, and let us know your plan to implement these new regulations. If you’d like a takeaway version of this article, download it here.